Abstract

We introduce an algorithm for the minimization of deterministic Kripke structures with $O(kn \log_2 n)$ time complexity. We prove the correctness and complexity properties of this algorithm.



1. Introduction 

The problem of minimizing automata and transition systems has been widely studied in the literature. Minimization involves finding the smallest equivalent structure, using an appropriate definition of equivalence (e.g. language equivalence or simulation equivalence). In many software engineering applications, automata need to be minimized before complex operations such as model checking or test case generation can be carried out.

For different automata models and different notions of equivalence, the complexity of the minimization problem can vary considerably. The survey [1] considers minimization algorithms for DFA up to language equivalence, with time complexities varying between $O(n^2)$ and $O(n \log n)$. Kripke structures represent a generalisation of DFA to allow non-determinism and multiple outputs. They have been widely used to model concurrent and embedded systems. An algorithm for minimizing Kripke structures has been given in [2]. In the presence of non-determinism, the complexity of minimization is quite high. Minimization up to language equivalence requires exponential time, while minimization up to the weaker simulation equivalence can be carried out in polynomial time (see Q).

By contrast, we will show that deterministic Kripke structures can be efficiently minimized even up to language equivalence with a worst case time complexity of $O(kn \log_2 n)$. For this, we generalise the concepts of right language and Nerode congruence from DFA to deterministic Kripke structures. We then show how the DFA minimization algorithm of can be generalised to compute the Nerode congruence $\equiv$ of a deterministic Kripke structure $\mathcal{K}$. The quotient Kripke structure $\mathcal{K}/\equiv$ is minimal and language equivalent to $\mathcal{K}$. Our research [4] into software testing has shown that this minimization algorithm makes the problems of model checking and test case generation more tractable for large models.

The paper is organized as follows. In Section 2 we introduce some mathematical prerequisites. In Section 3 we give a minimization algorithm for deterministic Kripke structures. In Section 4 we give a correctness proof for this algorithm. In Section 5 we provide a complexity analysis. Finally, in Section 6 we discuss some conclusions.

2. Preliminaries 

We assume familiarity with the basic concepts of deterministic finite automata (DFA). A Kripke structure is a generalisation of a DFA to allow multiple outputs and non-determinism. A Kripke structure $\mathcal{K}$ over a finite set $AP$ of atomic propositions is a five tuple $\mathcal{K} = (Q, \Sigma, \delta, q_0, \lambda)$, where $Q$ is the set of states, $\Sigma = \{\sigma_1, \ldots, \sigma_n\}$ is a finite alphabet, $\delta \subseteq Q \times \Sigma \times Q$ is the transition relation for states, $q_0$ is the initial state of $\mathcal{K}$ and $\lambda : Q \to 2^{AP}$ is a function to label states. If $|AP| = k$ we say that $\mathcal{K}$ is a $k$-bit Kripke structure.

We say that $\mathcal{K}$ is deterministic if the relation $\delta$ is actually a function, $\delta : Q \times \Sigma \to Q$. We let $\delta^* : Q \times \Sigma^* \to Q$ denote the iterated state transition function, where $\delta^*(q, \varepsilon) = q$ and $\delta^*(q, \sigma_1, \ldots, \sigma_n) = \delta(\delta^*(q, \sigma_1, \ldots, \sigma_{n-1}), \sigma_n)$. Each property in $AP$ describes some local property of system states $q \in Q$. It is convenient to redefine the labelling function $\lambda$ as $\lambda : Q \to \mathbb{B}^k$, given an enumeration of the set $AP$. Then the iterated output function $\lambda^* : Q \times \Sigma^* \to \mathbb{B}^k$ is given by $\lambda^*(q, \sigma_1, \ldots, \sigma_n) = \lambda(\delta^*(q, \sigma_1, \ldots, \sigma_n))$. More generally, for any $q \in Q$ define $\lambda^*_q(\sigma_1, \ldots, \sigma_n) = \lambda^*(q, \sigma_1, \ldots, \sigma_n)$. Given any $R \subseteq Q$ we write $\lambda(R) = \bigcup_{r \in R} \lambda(r)$. We let $q.\sigma$ denote $\delta(q, \sigma)$ and $R.\sigma$ denote $\{r.\sigma \mid r \in R\}$ for $R \subseteq Q$.

We can represent a Kripke structure graphically in the usual way using a state transition diagram. For example, a Kripke structure with three bit labels in the output is shown in Fig. 1(A).

2.1. Minimal DFA and minimal deterministic Kripke structures 

Let us consider a DFA $\mathcal{A} = (Q, \Sigma, \delta, q_0, F)$. For each state $q \in Q$ of $\mathcal{A}$ there corresponds a subautomaton of $\mathcal{A}$ rooted at $q$ which accepts the regular language $\mathcal{L}_q(\mathcal{A}) \subseteq \Sigma^*$, consisting of just those words accepted by the subautomaton with $q$ as initial state. Thus $\mathcal{L}_{q_0}(\mathcal{A})$ is the language accepted by $\mathcal{A}$. The language $\mathcal{L}_q(\mathcal{A})$ is called either the future of state $q$ or the right language of $q$. $\mathcal{A}$ is minimal if for each pair of distinct states $p, q \in Q$ we have $\mathcal{L}_p(\mathcal{A}) \neq \mathcal{L}_q(\mathcal{A})$. For any regular language $X \subseteq \Sigma^*$ there is a smallest DFA (in terms of the number of states) accepting $X$. This DFA is minimal, and is unique up to isomorphism.

Figure 1: 3-bit Kripke structure. (A) Non-minimal Kripke structure $\mathcal{K}$; (B) minimized Kripke structure $\mathcal{K}/\equiv$; (C) $\delta^{-1}$ function of Kripke structure $\mathcal{K}$.

An equivalence relation $\equiv$ can be defined on the states of a DFA by $p \equiv q$ if and only if $\mathcal{L}_p(\mathcal{A}) = \mathcal{L}_q(\mathcal{A})$. This relation is a congruence, i.e. if $p \equiv q$ then $p.\sigma \equiv q.\sigma$ for all $\sigma \in \Sigma^*$. It is known as the Nerode congruence. Consider the quotient DFA $\mathcal{A}/\equiv$. This is the unique smallest DFA which accepts the regular language $\mathcal{L}_{q_0}(\mathcal{A})$. The problem of minimizing a DFA $\mathcal{A}$ is therefore to compute its Nerode congruence, which will be the identity relation if, and only if, $\mathcal{A}$ is a minimal automaton.

The problem of computing a minimal Kripke structure $\mathcal{K}$ is an analogous but more general problem. In this case, the right language $\mathcal{L}_q(\mathcal{K})$ associated with a state $q$ of $\mathcal{K}$ can be defined by

$$\mathcal{L}_q(\mathcal{K}) = \{ (\sigma_1, \ldots, \sigma_n, a) \in \Sigma^* \times \mathbb{B}^k \mid \lambda^*_q(\sigma_1, \ldots, \sigma_n) = a \}.$$

As before, $\mathcal{K}$ is minimal if for each pair of distinct states $p, q \in Q$ we have $\mathcal{L}_p(\mathcal{K}) \neq \mathcal{L}_q(\mathcal{K})$. There is again a smallest Kripke structure associated with a right language $\mathcal{L} \subseteq \Sigma^* \times \mathbb{B}^k$. This Kripke structure is also minimal, and unique up to isomorphism. The Nerode congruence for a Kripke structure $\mathcal{K}$ is now defined by:

$$p \equiv q \text{ if and only if } \lambda^*_p(\sigma_1, \ldots, \sigma_n) = \lambda^*_q(\sigma_1, \ldots, \sigma_n) \text{ for all } (\sigma_1, \ldots, \sigma_n) \in \Sigma^*,$$

and $\mathcal{K}/\equiv$ is the unique smallest Kripke structure associated with the right language $\mathcal{L}_{q_0}(\mathcal{K})$. So the problem of minimising $\mathcal{K}$ is to compute this congruence.
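As an added illustration of the definitions above (example code written for this page, not material from the paper), the following Python makes $\delta^*$, $\lambda^*$ and the Nerode congruence operational on a small constructed 3-bit deterministic Kripke structure. The structure, its labels and its transitions are assumptions chosen for the example and are not the structure of Fig. 1. `distinguishing_word` looks for the shortest word on which $\lambda^*_p$ and $\lambda^*_q$ differ by breadth-first search over pairs of states; there are at most $|Q|^2$ pairs, so the search terminates, and finding no such word means $p \equiv q$. `quotient` then builds $\mathcal{K}/\equiv$ from the resulting classes.

```python
from collections import deque

# Constructed 3-bit deterministic Kripke structure used for this example.
# Its states, labels and transitions are an assumption, not the paper's Fig. 1.
STATES = ["q0", "q1", "q2", "q3", "q4", "q5"]
ALPHABET = ["a", "b"]
LABEL = {"q0": "000", "q5": "000",      # lambda(q) written as a k-bit string
         "q1": "001", "q2": "001",
         "q3": "010", "q4": "011"}
DELTA = {("q0", "a"): "q1", ("q0", "b"): "q2",   # delta(q, sigma) = q'
         ("q1", "a"): "q0", ("q1", "b"): "q4",
         ("q2", "a"): "q0", ("q2", "b"): "q4",
         ("q3", "a"): "q4", ("q3", "b"): "q5",
         ("q4", "a"): "q3", ("q4", "b"): "q1",
         ("q5", "a"): "q0", ("q5", "b"): "q2"}


def delta_star(q, word):
    """Iterated transition function delta*(q, sigma_1 ... sigma_n)."""
    for s in word:
        q = DELTA[(q, s)]
    return q


def lambda_star(q, word):
    """Iterated output function lambda*(q, w) = lambda(delta*(q, w))."""
    return LABEL[delta_star(q, word)]


def distinguishing_word(p, q):
    """Shortest word w with lambda*_p(w) != lambda*_q(w), or None if p and q
    are Nerode congruent.  Breadth-first search over pairs of states: there
    are at most |Q|^2 pairs, so the search always terminates."""
    seen = {(p, q)}
    queue = deque([(p, q, "")])
    while queue:
        x, y, w = queue.popleft()
        if LABEL[x] != LABEL[y]:          # here LABEL[x] == lambda_star(p, w)
            return w
        for s in ALPHABET:
            nxt = (DELTA[(x, s)], DELTA[(y, s)])
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt[0], nxt[1], w + s))
    return None


def nerode_classes():
    """Equivalence classes of the Nerode congruence, each as a list of states."""
    classes = []
    for q in STATES:
        for cls in classes:
            if distinguishing_word(cls[0], q) is None:
                cls.append(q)
                break
        else:
            classes.append([q])
    return classes


def quotient():
    """Quotient structure K/==: one state per class; transitions and labels are
    taken from any representative, which is well defined because == is a
    congruence."""
    classes = nerode_classes()
    index = {q: i for i, cls in enumerate(classes) for q in cls}
    qdelta = {(i, s): index[DELTA[(cls[0], s)]]
              for i, cls in enumerate(classes) for s in ALPHABET}
    qlabel = {i: LABEL[cls[0]] for i, cls in enumerate(classes)}
    return classes, qdelta, qlabel


if __name__ == "__main__":
    print(distinguishing_word("q0", "q5"))   # a word separating q0 from q5
    print(nerode_classes())
```

The pairwise search costs $O(|Q|^2)$ per pair and is only meant to make the definition concrete; the partition refinement algorithm of Section 3 reaches the same classes far more efficiently.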
3. Kripke Structure Minimization Algorithm

Algorithm 1 presents an efficient algorithm to compute the Nerode congruence $\equiv$ of a deterministic Kripke structure $\mathcal{K}$, which is the same as the state set of the associated quotient Kripke structure $\mathcal{K}/\equiv$. We demonstrate the behavior of this algorithm on the simple example given in Fig. 1(A) as follows.

The algorithm begins by inverting the state transition table as shown in Fig. 1(C). Then it creates four initial blocks of states on the basis of unique bit labels, which are: $B_1 = \{q_0, q_5\}$, $B_2 = \{q_1, q_2\}$, $B_3 = \{q_3\}$ and $B_4 = \{q_4\}$. Next it is checked whether the number of blocks is equal to the number of states $|Q|$ of the given Kripke structure. This is not the case, so the next step is to refine each partition block $B_i$ into subsets $B(\sigma, i)$ of states which have predecessors via each input symbol $\sigma \in \Sigma$. This gives $B(a,1) = \{q_0\}$, $B(b,1) = \{q_5\}$, $B(a,2) = \{q_1\}$, $B(b,2) = \{q_1, q_2\}$, $B(a,3) = \{q_3\}$, $B(b,3) = \{q_3\}$, $B(a,4) = \{q_4\}$ and $B(b,4) = \{q_4\}$. The next step is to initialize the waiting list $W(\sigma)$ for each symbol $\sigma \in \Sigma$ by inserting the block numbers of all non-empty subpartition blocks $B(\sigma, i)$ created in the previous step. We obtain $W(a) = \{1, 2, 3, 4\}$ and $W(b) = \{1, 2, 4\}$.

Now the algorithm can refine the initial partition $B_1, \ldots, B_4$ by iterating the loop on line 10 until $W(\sigma) = \emptyset$ for all $\sigma \in \Sigma$. For $i = 1$ and $\sigma = a$ we have $W(a) = \{2, 3, 4\}$ and $B(a,1) = \{q_0\}$. We can see that $\delta(q_1, a) = q_0 \in B(a,1)$ and $\delta(q_2, a) = q_0 \in B(a,1)$. But both $q_1$ and $q_2$ are in $B_2$. Therefore $B'_2 \not\subset B_2$ and hence no refinement of the partition is possible in this step.

We proceed with the next iteration of the loop by deleting $i = 2$ from $W(a)$ so that $W(a) = \{3, 4\}$. Now we have $B(a,2) = \{q_1\}$. We can see that $\delta(q_0, a) = q_1 \in B(a,2)$. Therefore we have $B'_1 = \{q_0\}$. Since $B'_1 \subset B_1$ we therefore split $B_1$ into $B_5 = B_1 - B'_1 = \{q_0, q_5\} - \{q_0\} = \{q_5\}$ and $B_1 = B'_1 = \{q_0\}$. Next we update the subsets $B(\sigma, i)$ and we get $B(a,1) = \{q_0\}$, $B(b,1) = \{\}$, $B(a,5) = \{\}$ and $B(b,5) = \{q_5\}$. The updated waiting sets are then $W(a) = \{1, 3, 4\}$ and $W(b) = \{1, 2, 4, 5\}$. Next we choose $i = 1$, $\sigma = a$ and $W(a) = \{3, 4\}$, and we obtain $B(a,1) = \{q_0\}$. It can be seen that $\delta(q_1, a) = q_0 \in B(a,1)$ and $\delta(q_2, a) = q_0 \in B(a,1)$. Therefore $B'_2 = \{q_1, q_2\}$, but $B'_2 \not\subset B_2$ and hence no refinement of the partition is possible in this case. We delete $i = 3$ from $W(a)$ and obtain $W(a) = \{4\}$ and $B(a,3) = \{q_3\}$. We then find that for $q_4 \in B_4$, $\delta(q_4, a) = q_3 \in B(a,3)$. Therefore we have $B'_4 = \{q_4\}$. But $B'_4 \not\subset B_4$, so no refinement of the partition is possible in this case. Continuing in the same way it will be seen that there is no further refinement of the partition possible for $i = 4$ and $\sigma = a$, nor for $i = 1, 2, 4, 5$ and $\sigma = b$; both $W(a)$ and $W(b)$ become empty. We terminate with five blocks in the partition. These constitute the states of our minimized Kripke structure as shown in Fig. 1(B).






Input: A deterministic Kripke structure $\mathcal{K}$ with no unreachable states and $k$ output bits.

Output: The Nerode congruence $\equiv$ for $\mathcal{K}$, i.e. the equivalence classes of states for the minimized structure $\mathcal{K}_{min}$ behaviourally equivalent to $\mathcal{K}$.

1   Create an initial state partition $P = \{B_q = \{q' \in Q \mid \lambda(q) = \lambda(q')\} \mid q \in Q\}$. Let $n = |P|$. Let $B_1, \ldots, B_n$ be an enumeration of $P$.
2   if $n = |Q|$ then go to line 30
3   foreach $\sigma \in \Sigma$ do
4     for $i \leftarrow 1$ to $n$ do
5       $B(\sigma, i) = \{q \in B_i \mid \exists r \in Q \text{ s.t. } \delta(r, \sigma) = q\}$. /* This constitutes the subset of states in block $B_i$ which have predecessors through input $\sigma$. */
6   count = n + 1;
7   foreach $\sigma \in \Sigma$ do
8     choose all the subsets $B(\sigma, i)$ (excluding any empty subsets) and put their block numbers $i$ on a waiting list (i.e. an unordered set) $W(\sigma)$ to be processed.
9   Boolean splittable = true;
10  while splittable do
11    foreach $\sigma \in \Sigma$ do
12      foreach $i \in W(\sigma)$ do
13        Delete $i$ from $W(\sigma)$
14        for $j \leftarrow 1$ to count − 1 s.t. $\exists t \in B_j$ with $\delta(t, \sigma) \in B(\sigma, i)$ do
15          Create $B'_j = \{t \in B_j \mid \delta(t, \sigma) \in B(\sigma, i)\}$
16          if $B'_j \subset B_j$ then
17            $B_{count} = B_j - B'_j$; $B_j = B'_j$
18            foreach $\sigma \in \Sigma$ do
19              $B(\sigma, count) = \{q \in B(\sigma, j) \mid q \in B_{count}\}$;
20              $B(\sigma, j) = \{q \in B(\sigma, j) \mid q \in B_j\}$
21              if $j \notin W(\sigma)$ and $0 < |B(\sigma, j)| \le |B(\sigma, count)|$ then
22                $W(\sigma) = W(\sigma) \cup \{j\}$
23              else
24                $W(\sigma) = W(\sigma) \cup \{count\}$
25            count = count + 1;
26      splittable = false;
27      foreach $\sigma \in \Sigma$ do
28        if $W(\sigma) \neq \emptyset$ then
29          splittable = true;
30  Return partition blocks $B_1, \ldots, B_{count}$.

Algorithm 1: Kripke Structure Minimization
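The following Python is an added worked implementation of Algorithm 1 (written for this page; it is not the authors' implementation mentioned in Section 6), run on a constructed 3-bit structure with six states. The structure is an assumption: its labels and transitions were chosen so that the initial blocks, the initial waiting lists and the final five blocks agree with the trace above, but the transitions the text does not mention are filled in arbitrarily, so the order in which splits happen need not match the trace. The inverse transition function plays the role of Fig. 1(C), and the waiting-list rule of lines 21-24 is implemented as written, placing on the waiting list the half with fewer incoming transitions.

```python
from collections import defaultdict

# Constructed 3-bit deterministic Kripke structure (an assumption for this
# example, not the structure of Fig. 1).  Labels q0=q5 and q1=q2 give the
# four initial blocks of the worked example.
STATES = ["q0", "q1", "q2", "q3", "q4", "q5"]
ALPHABET = ["a", "b"]
LABEL = {"q0": "000", "q5": "000", "q1": "001", "q2": "001",
         "q3": "010", "q4": "011"}
DELTA = {("q0", "a"): "q1", ("q0", "b"): "q2",
         ("q1", "a"): "q0", ("q1", "b"): "q4",
         ("q2", "a"): "q0", ("q2", "b"): "q4",
         ("q3", "a"): "q4", ("q3", "b"): "q5",
         ("q4", "a"): "q3", ("q4", "b"): "q1",
         ("q5", "a"): "q0", ("q5", "b"): "q2"}


def minimize(states, alphabet, delta, label):
    """Algorithm 1: return the blocks of the Nerode congruence as frozensets."""
    # Inverse transition function (Fig. 1(C)): pred[s][q] = {r | delta(r, s) = q}
    pred = {s: defaultdict(set) for s in alphabet}
    for (r, s), q in delta.items():
        pred[s][q].add(r)

    # Line 1: initial partition by bit label; block numbers start at 0 here.
    groups = defaultdict(set)
    for q in states:
        groups[label[q]].add(q)
    blocks = [set(g) for g in groups.values()]
    block_of = {q: i for i, b in enumerate(blocks) for q in b}
    if len(blocks) == len(states):                      # line 2
        return [frozenset(b) for b in blocks]

    def splitter(s, i):
        """B(sigma, i): states of block i that have a sigma-predecessor (line 5)."""
        return {q for q in blocks[i] if pred[s][q]}

    # Lines 7-8: waiting lists hold the numbers of blocks with non-empty B(sigma, i).
    W = {s: {i for i in range(len(blocks)) if splitter(s, i)} for s in alphabet}

    while any(W.values()):                              # lines 9-10, 26-29
        for s in alphabet:                              # line 11
            while W[s]:                                 # line 12
                i = W[s].pop()                          # line 13
                target = splitter(s, i)
                # Line 14: blocks j containing some t with delta(t, s) in B(s, i)
                hit = defaultdict(set)
                for q in target:
                    for t in pred[s][q]:
                        hit[block_of[t]].add(t)
                for j, bj_prime in hit.items():         # line 15: B'_j
                    if bj_prime == blocks[j]:           # line 16: not a proper subset
                        continue
                    count = len(blocks)                 # line 17: split B_j
                    blocks.append(blocks[j] - bj_prime)
                    blocks[j] = bj_prime
                    for q in blocks[count]:
                        block_of[q] = count
                    for s2 in alphabet:                 # lines 18-24
                        if (j not in W[s2]
                                and 0 < len(splitter(s2, j)) <= len(splitter(s2, count))):
                            W[s2].add(j)
                        else:
                            W[s2].add(count)
    return [frozenset(b) for b in blocks]               # line 30


if __name__ == "__main__":
    for b in minimize(STATES, ALPHABET, DELTA, LABEL):
        print(sorted(b))
```

Note that `splitter` rescans a block each time it is needed; the $O(kn \log_2 n)$ bound of Section 5 assumes the sets $B(\sigma, i)$ are maintained incrementally as on lines 19-20, so this version trades the bound for brevity. An empty splitter (a block none of whose states has a $\sigma$-predecessor) simply produces no hits and is discarded, which is why it is harmless when line 24 places such a block on the waiting list.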



4. Correctness of Kripke Structure Minimization 



In this section we give a rigorous but simple proof of the correctness of Algorithm 1. By means of a new induction argument, we have simplified the correctness argument compared with dH and 0. First let us establish termination of the algorithm by using an appropriate well-founded ordering for the main loop variant.

Definition 1. Consider any pair of finite sets of finite sets $A = \{A_1, \ldots, A_m\}$ and $B = \{B_1, \ldots, B_n\}$. We define an ordering relation $\le$ on $A$ and $B$ by $A \le B$ iff $\forall 1 \le i \le m,\ \exists 1 \le j \le n$ such that $A_i \subseteq B_j$. Define $A < B \Leftrightarrow A \le B \ \&\ A \neq B$. Clearly $\le$ is a reflexive, transitive relation. Furthermore $<$ is well-founded, i.e. there are no infinite descending chains $A_1 > A_2 > A_3 > \ldots$, since $\emptyset$ is the smallest element under $\le$.

Proposition 2. Algorithm 1 always terminates.

Proof. We have two cases for the termination of the algorithm as a result of the partition formed on line 1 of the algorithm: (1) when $n = |Q|$, and (2) when $n < |Q|$.

Consider the case when $n = |Q|$. Then each block in the partition corresponds to a state of the given Kripke structure with a unique bit-label, and hence in this case the algorithm will terminate on line 30 by providing the description of these blocks.

Now consider the case when $n < |Q|$. Then the waiting sets $W(\sigma)$ for all $\sigma \in \Sigma$ will be initialized on lines 7-8 and the termination of the algorithm depends on proving the termination of the loop on line 10. Now $W(\sigma)$ is initialized by loading the block numbers of the split sets on line 8. There are only two possibilities after any execution of the loop. Let $W_m(\sigma)$ and $W_{m+1}(\sigma)$ represent the state of the variable $W(\sigma)$ before and after one execution of the loop respectively at any given time. Then either $W_m(\sigma) = W_{m+1}(\sigma) \cup \{i\}$ and no splitting has taken place and $i$ is the deleted block number, or $W_m(\sigma) \cup \{j\} = W_{m+1}(\sigma) \cup \{i\}$ or $W_m(\sigma) \cup \{k\} = W_{m+1}(\sigma) \cup \{i\}$, where $j$ and $k$ represent the split blocks and one of them goes into $W_m(\sigma)$ if it has fewer incoming transitions. In either case $W_m(\sigma) > W_{m+1}(\sigma)$ by Definition 1. Therefore $W(\sigma)$ strictly decreases with each iteration of the loop on line 10. Since the ordering $<$ is well-founded, Algorithm 1 must terminate.



Now we only need to show that when Algorithm 1 has terminated, it returns the Nerode congruence $\equiv$ on states.

Proposition 3. Let $P_i$ be the partition (block set) on the $i$th iteration of Algorithm 1. For any blocks $B_j, B_k \in P_i$ and any states $p \in B_j$, $q \in B_k$, if $j \neq k$ then $p \not\equiv q$.






Proof. By induction on the number $i$ of times the loop on line 10 is executed.

Basis: Suppose $i = 0$. Then clearly the result holds because each block created at line 1 is distinguishable by the empty string $\varepsilon$.

Induction Step: Suppose $i = m > 0$. Let us assume that the proposition holds after $m$ executions of the loop.

Consider any $B_j, B_k \in P_m$. During the $(m+1)$th execution of the loop on line 10 either block $B_j$ is split into $B'_j$ and $B''_j$, or $B_k$ is split into $B'_k$ and $B''_k$, but not both during one execution of the loop (due to line 11).

Consider the case when $B_j$ is split. Then for any $p \in B_j$ either $p \in B'_j$ or $p \in B''_j$. But for any $p \in B_j$ and $q \in B_k$, $p \not\equiv q$ by the induction hypothesis. Therefore, for $p \in B'_j$ or $p \in B''_j$, $p \not\equiv q$. Hence the proposition is true for the $(m+1)$th execution of the loop in this case.

By symmetry the same argument holds when $B_k$ is split.

The following Lemma gives a simple, but very effective way to understand Algorithm 1. Note that this analysis is more like a temporal logic argument than a loop invariant approach. This approach reflects the non-determinism inherent in the algorithm.

Lemma 4. For any states $p, q \in Q$, if $p \not\equiv q$ and initially $p$ and $q$ are in the same block, $p, q \in B_{i_0}$, then eventually $p$ and $q$ are split into different blocks, $p \in B_j$ and $q \in B_k$ for $j \neq k$.

Proof. Suppose that $p \not\equiv q$ and that initially $p, q \in B_{i_0}$ for some block $B_{i_0}$. Since $p \not\equiv q$, then for some $n \ge 0$ and $\sigma_1, \ldots, \sigma_n \in \Sigma$,

$$\lambda^*(p, \sigma_1, \ldots, \sigma_n) \neq \lambda^*(q, \sigma_1, \ldots, \sigma_n).$$

We prove the result by induction on $n$.

Basis: Suppose $n = 0$, so that $\lambda(p) \neq \lambda(q)$. By line 1, $p \in B_p$ and $q \in B_q$ and $B_p \neq B_q$. So the implication holds vacuously.

Induction Step: Suppose $n > 0$ and for some $\sigma_1, \ldots, \sigma_n \in \Sigma$,

$$\lambda^*(p, \sigma_1, \ldots, \sigma_n) \neq \lambda^*(q, \sigma_1, \ldots, \sigma_n).$$

(a) Suppose initially $\delta(p, \sigma_1) \in B(\sigma_1, \alpha)$ and $\delta(q, \sigma_1) \in B(\sigma_1, \beta)$ for $\alpha \neq \beta$.

Consider when $\sigma = \sigma_1$ on the first iteration of the loop on line 10. Clearly, $B(\sigma_1, \alpha), B(\sigma_1, \beta) \in W(\sigma)$ at this point. Choosing $i = \alpha$ and $j = i_0$ on this iteration, then since $\delta(p, \sigma_1) \in B(\sigma_1, \alpha)$ we have

$$B'_{i_0} = \{t \in B_{i_0} \mid \delta(t, \sigma_1) \in B(\sigma_1, \alpha)\} \subset B_{i_0}.$$

This holds because $q \in B_{i_0}$ but $\delta(q, \sigma_1) \in B(\sigma_1, \beta)$ and $B(\sigma_1, \alpha) \neq B(\sigma_1, \beta)$, so $B(\sigma_1, \alpha) \cap B(\sigma_1, \beta) = \emptyset$ and hence $q \notin B'_{i_0}$. Therefore $p$ and $q$ are split into different blocks on the first iteration, so that $p \in B'_{i_0}$ and $q \in B_{i_0} - B'_{i_0}$.

By symmetry, choosing $i = \beta$ and $j = i_0$, then $p$ and $q$ are split on the first loop iteration with $q \in B'_{i_0}$ and $p \in B_{i_0} - B'_{i_0}$.

(b) Suppose initially $\delta(p, \sigma_1), \delta(q, \sigma_1) \in B(\sigma_1, \alpha)$ for some $\alpha$. Now

$$\lambda^*(\delta(p, \sigma_1), \sigma_2, \ldots, \sigma_n) \neq \lambda^*(\delta(q, \sigma_1), \sigma_2, \ldots, \sigma_n).$$

So by the induction hypothesis, eventually $\delta(p, \sigma_1)$ and $\delta(q, \sigma_1)$ are split into different blocks, $\delta(p, \sigma_1) \in B_\alpha$ and $\delta(q, \sigma_1) \in B_\beta$. At that time one of $B_\alpha$ or $B_\beta$ is placed in a waiting set $W(\sigma)$. Then either on the same iteration of the loop on line 10 or on the next iteration, we can apply the argument of part (a) again to show that $p$ and $q$ are split into different blocks.



Observe that only one split block is loaded into $W(\sigma)$ on lines 21-24. From the proof of Lemma 4 we can see that it does not matter logically which of these two blocks we insert into $W(\sigma)$. However, by choosing the subset with fewest incoming transitions we can obtain a worst case time complexity of order $O(kn \log_2 n)$, as we will show.



Corollary 5. For any states $p, q \in Q$, if $p \not\equiv q$ then $p$ and $q$ are in different blocks when the algorithm terminates.

Proof. Assume that $p \not\equiv q$.

(a) Suppose at line 3 that $n = |Q|$. Then initially all blocks $B_i$ are singleton sets and so trivially $p$ and $q$ are in different blocks when the algorithm terminates.

(b) Suppose at line 3 that $n < |Q|$.

(b.i) Suppose that $p$ and $q$ are in different blocks initially. Since blocks are never merged, the result holds.

(b.ii) Suppose that $p$ and $q$ are in the same block initially. Since $p \not\equiv q$, the result follows by Lemma 4.



5. Complexity Analysis 

Let us consider the worst-case time complexity of Algorithm 1.

Proposition 6. If $\mathcal{K}$ has $n$ states and $\Sigma$ has $k$ input symbols then Algorithm 1 has worst case time complexity $O(kn \log_2 n)$.

Proof. Creating the initial block partition on line 1 requires at most $O(n)$ assignments. The block subpartitioning in the loop on line 3 requires at most $O(kn)$ moves of states. Also the initialisation of the waiting lists $W(\sigma)$ in the loop on line 7 requires at most $O(kn)$ assignments.

Consider one execution of the body of the loop starting on line 10, i.e. lines 13-29. Consider any states $p, q \in Q$ and suppose that $\delta(p, \sigma) = q$ for some $\sigma \in \Sigma$. Then the state $p$ can be: (i) moved into $B'_j$ (line 15), (ii) removed from $B_j$ (line 17), or (iii) moved into $B(\sigma, i)$ or $B(\sigma, count)$ (lines 19, 20) if, and only if, a block $i$ is being removed from $W(\sigma)$ such that $q \in B(\sigma, i)$ at that time. (Such a block sub-partition $B(\sigma, i)$ can be termed a splitter of $q$.)

Now each time a block $i$ containing $q$ is removed from $W(\sigma)$ its size is less than half of the size when it was originally entered into $W(\sigma)$, by lines 21-24. So $i$ can be removed from $W(\sigma)$ at most $O(\log_2 n)$ times. Since there are at most $k$ values of $\sigma$ and $n$ values of $p$, the total number of state moves between blocks and block sub-partitions is at most $O(kn \log_2 n)$.



6. Conclusions 

We have given an algorithm for the minimization of deterministic Kripke structures with worst case time complexity $O(kn \log_2 n)$. We have analysed the correctness and performance of this algorithm. An efficient implementation of this algorithm has been developed which confirms the run-time performance theoretically predicted in Section 5. This research has been supported by the Swedish Research Council (VR), the Higher Education Commission of Pakistan (HEC), as well as EU projects HATS FP7-231620 and MBAT ARTEMIS JU-269335.